Malware Analysis Report

2025-08-05 10:05

Sample ID 230430-18aa2seb68
Target LummaC2-corps.exe.bin
SHA256 0f40b111497b78b928a42f3c4f2e0c988be7ee5b3b0d523300685b75a2aadf06
Tags
lumma spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0f40b111497b78b928a42f3c4f2e0c988be7ee5b3b0d523300685b75a2aadf06

Threat Level: Known bad

The file LummaC2-corps.exe.bin was found to be: Known bad.

Malicious Activity Summary

lumma spyware stealer

Detect Lumma Stealer payload V2

Lumma family

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-30 22:18

Signatures

Detect Lumma Stealer payload V2

Description Indicator Process Target
N/A N/A N/A N/A

Lumma family

lumma

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-30 22:18

Reported

2023-04-30 22:35

Platform

win10v2004-20230220-en

Max time kernel

135s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LummaC2-corps.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\LummaC2-corps.exe

"C:\Users\Admin\AppData\Local\Temp\LummaC2-corps.exe"

Network

Country Destination Domain Proto
NL 8.238.179.126:80 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 52.182.141.63:443 tcp
NL 8.238.179.126:80 tcp
NL 8.238.179.126:80 tcp
US 52.152.110.14:443 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp
US 8.8.8.8:53 2.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-30 22:18

Reported

2023-04-30 22:34

Platform

win7-20230220-en

Max time kernel

30s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LummaC2-corps.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Processes

C:\Users\Admin\AppData\Local\Temp\LummaC2-corps.exe

"C:\Users\Admin\AppData\Local\Temp\LummaC2-corps.exe"

Network

Country Destination Domain Proto
BG 195.123.226.167:80 tcp
BG 195.123.226.167:80 tcp
BG 195.123.226.167:80 tcp
BG 195.123.226.167:80 tcp
BG 195.123.226.167:80 tcp
BG 195.123.226.167:80 tcp
BG 195.123.226.167:80 tcp
BG 195.123.226.167:80 tcp
BG 195.123.226.167:80 tcp
BG 195.123.226.167:80 tcp

Files

N/A